Information Security Management

Information Security Policy

To strengthen the company’s resilience in information security (infosec) and the management mechanisms that support it, we take a corporate governance approach: a comprehensive set of infosec policies is in place, regular cybersecurity drills are conducted, and employee education and training are organized to raise overall infosec awareness. The ASEH Information Security Policy provides the highest level of management guidance for protecting the confidentiality, integrity and availability of critical information assets and for ensuring compliance with relevant laws and regulations. With a robust infosec policy in place, ASEH is well positioned to build customer trust, strengthen its competitiveness in the industry, and maintain business continuity. We assess information security risks in accordance with regulatory requirements and business goals, and provide a status report to senior management and the Board. The report offers a succinct overview of current infosec challenges and status, and forms the basis on which management and the Board formulate additional guidelines, strategies and targets.

ASE Technology Holding Co., Ltd Information Security Policy

Information Security Management Organization

The Corporate Sustainability and Information Security Committee was established under the Board of Directors and is chaired by Richard H.P. Chang, Vice Chairman of ASEH, who during his tenure as General Manager managed ASE’s key operations, administration, and major affairs. The committee is responsible for overseeing the development of ASEH’s overall information security strategy and maturity benchmarking, planning and supervising enterprise-wide cybersecurity risk management, monitoring the implementation of information security operations across subsidiaries, and coordinating the integration and communication of internal and external technical resources and threat intelligence. These collective efforts aim to enhance ASEH’s information security capabilities and reduce potential threats and risks. ASEH’s Chief Information Security Officer (CISO), a position created by the committee and concurrently held by the Chief Administrative Officer and Head of Corporate Governance, is responsible for establishing the information security management framework, which includes regular reviews with all ASEH subsidiaries and the implementation of incident response plans. The committee reports its status to the Board of Directors in the last quarter of each fiscal year. In addition, the Executive Secretariat of the Company's Corporate CSR Division is responsible for promoting and executing information security-related work, and each subsidiary appoints its information security team as members of the committee, responsible for implementing the information security operations resolved by the committee.
The committee meets quarterly to report on and discuss the progress of our information security work, and invites external experts to share information security trends and significant issues.

Information Security Management Targets

As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we conduct a NIST CSF maturity assessment at all facilities every year. Our cybersecurity policies are formulated to provide the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to raise employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and greatly boosts stakeholder satisfaction.

Information Security Implementation and Safeguards

Cybersecurity Maturity

To effectively manage the adjustments and enhancements made to the cybersecurity strategy and defense system of each subsidiary, ASEH began implementing a NIST CSF maturity assessment mechanism in partnership with third-party consultants in 2019. Overall cybersecurity maturity is assessed against the framework’s five core functions: Identify, Protect, Detect, Respond, and Recover (NIST CSF 2.0, published in 2024, adds a sixth function, Govern). We have gradually shifted our focus to refining and deepening our cybersecurity requirements, and each factory site can undertake individualized enhancements based on its own maturity assessment results and recommendations for improvement. We benchmark ourselves against the semiconductor industry in order to understand our own cyber environment better, assess the risks affecting each subsidiary across cybersecurity areas, countries and operations, and consolidate resources to provide better guidance and support. Our goal is to implement and continuously improve foundational cybersecurity management across all businesses. In 2024, we continued the previous year’s maturity assessment mechanism, again engaging PwC Taiwan, and kept collecting data on each subsidiary’s current cybersecurity management and controls, as well as its cybersecurity frameworks and policies, across the five NIST CSF functions. In addition, digital transformation is bringing IT and OT ever closer together, so the scope of horizontal implementation is extending from IT to OT with the goal of bringing the cybersecurity maturity of OT closer to that of IT, gradually enhancing the defense capabilities of the company’s critical operational systems.
Using consistent vertical quantitative metrics, the assessment covered policy maturity, control maturity, management maturity, audit maturity, and supply chain maturity. The results provided concrete insights for progressively strengthening the cybersecurity defense capabilities of the company’s critical operational systems.

Cybersecurity Risk Identification and Management

We engage third-party audit firms annually to conduct information security audits, system vulnerability scans, and penetration testing to ensure that our information systems and network environments comply with security implementation standards. These efforts help enforce information security policies and customer privacy protection measures, effectively preventing the leakage of trade secrets and customer data. Tools used include Nessus for vulnerability scanning, BitSight for security ratings, the SecurityScorecard platform for analysis, and red team assessments to evaluate system defense capabilities and incident response maturity. Because BitSight and SecurityScorecard rate an organization from externally observable signals (exposed services, DNS and email configuration, observed malware traffic), they complement rather than replace authenticated internal scanning. Additionally, the company provides monthly BitSight security rating reports to all sites for reference and continuous risk management improvement.

As we enter the era of digital transformation, we are not only continuing to strengthen cybersecurity measures but also extending our expertise to the Operational Technology (OT) domain. In 2022 we launched an OT cybersecurity assessment program, engaging external experts to identify and test potential risks in OT systems. In 2024, a total of seven sites completed OT assessments, progressively building an integrated cross-domain cybersecurity defense framework.

In addition to external audits, ASEH also conducts regular internal self-assessments of its Information Security Management System (ISMS) based on the NIST Cybersecurity Framework (CSF) and ISO 27001. These assessments evaluate the effectiveness of risk management, control measures, and incident response processes, and the results are reported to senior management and the Board of Directors. In the event of an unexpected cyberattack, the Information Security Management Task Force promptly convenes technical response meetings to analyze and review defense strategies, building a synchronized and comprehensive security network to respond to threats in real time.

In addition to managing operational risks from a corporate governance perspective, we focus on raising employees’ cybersecurity awareness and strengthening the organization’s operational capabilities as part of our cybersecurity management. All ASEH employees must complete PIP cybersecurity education and training, covering the cybersecurity policy, the cybersecurity management framework, cybersecurity control measures, and related topics. In 2024, a total of 147,289 individuals completed 89,371 hours of training courses, and periodic social engineering email drills were conducted to sharpen employees’ ability to recognize phishing and other email-based social engineering attacks. We will also gradually introduce systematic management mechanisms covering participation in cybersecurity meetings, education and training, incident management, confidential file labeling, antivirus and software security, and other cybersecurity-related projects. KPI monitoring and audits extend the scope of management to every employee and every endpoint device, and the results are integrated into employee performance evaluations to reduce the penalties, legal liabilities and operational impacts that result from violations of cybersecurity regulations.


Increasing Cyber Resilience

In 2024, no major information security incidents occurred at the company. To strengthen our cybersecurity response and protection capabilities, the company has established a well-defined set of "IT Security Incident Reporting and Emergency Response Procedures". The procedures serve as a unified guideline for employees, with detailed specifications covering incident classification, response team structure, severity level determination, reporting and handling procedures, incident monitoring and closure, follow-up investigations, corrective actions, and evidence collection. Cybersecurity incident drills are also conducted regularly to raise employee awareness and improve response efficiency.

The ASEH Information Security Management System further integrates cyber threat intelligence sharing and incident reporting, two core functions that enable real-time monitoring of internal and external threats, ensure timely reporting and resolution of incidents, and significantly enhance overall risk visibility and collaborative defense capabilities. As cybersecurity threats and the risks they pose to business operations increase, we have adopted a risk-based approach and secured cyber insurance coverage for the company. This added layer of financial protection complements, rather than replaces, our technical response capabilities: it helps absorb the cost of responding to incidents and containing the impact of cyberattacks, minimizing potential losses to company operations, customers and supply chain partners, and facilitating rapid business recovery.

To ensure the continuity of important business operations and prevent the interruption of critical information systems by material cybersecurity incidents, we conduct an incident recovery drill every six months. The drill plan lays out the organizational structure, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel, implementation steps and processes, required resources, data recovery from backup, risk management during the drill, and post-drill review and improvement processes, among other items. The purpose is to ensure that the company can leverage its disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level, achieving uninterrupted operation of critical information systems. The drill will continue to be carried out, together with maintenance, management and training, to ensure the effectiveness of the backup systems.


Information Security Information Exchange

ASEH works closely with government agencies and with local and international information security organizations, including FIRST, the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), and the High-tech Information Security Alliance. As a member of the SEMI Semiconductor Cybersecurity Committee, we are actively driving the industry’s adoption of SEMI E187, Specification for Cybersecurity of Fab Equipment, a security standard initiated in Taiwan. Adopting relevant infosec regulations, standards and industry intelligence allows us to integrate our internal management systems and expertise and to develop a comprehensive set of capabilities that further strengthens our resilience.

At the same time, we are committed to meeting the information security expectations of our upstream and downstream supply chain partners and other stakeholders. ASEH’s robust security defenses support a tightly secured smart manufacturing environment and increase the company’s competitive advantage as a sustainable enterprise.


Supply Chain Cybersecurity Management

As a result of the digitization of the supply chain and the exchange of large volumes of data, the supply chain faces unprecedented cybersecurity risks. To effectively improve cybersecurity resilience across the supply chain, ASEH established the Supplier Cybersecurity Assessment and Execution System in 2022, focusing primarily on critical suppliers. A total of 96 supplier cybersecurity assessments were conducted in 2024, following a four-step process: current-state assessment, guidance for improvement, confirmation of results, and a recurring survey. The scope of assessment will be gradually expanded, with a recurring survey conducted every three years, to construct a comprehensive cybersecurity management mechanism, ensure stable business operations, increase cybersecurity resilience, and further improve the overall cybersecurity environment and level of the semiconductor industry.

Information Security Certification and Results of Information Security Measures

Information Security Certification


ASEH prioritizes cybersecurity, identifying internal and external risks and developing and promoting key response strategies. It has earned recognition through international cybersecurity certifications, including ISO 27001, ISO 22301, ISO/IEC 15408 (Common Criteria), ISO/SAE 21434, IEC 62443, GSMA SAS-UP, and others. Through continuous management of corporate operations and adherence to international information security standards, ASEH rigorously reviews and optimizes its cybersecurity workflows and management measures, enhancing operational resilience. This comprehensive approach safeguards smart manufacturing security and sustains the company’s competitive advantages.

ISO 27001

To build a stable and robust foundation for the IT environment, ASE Kaohsiung, ASE Chungli, ASE Shanghai (Material), SPIL, and USI continue to improve and implement cybersecurity risk management targeting critical information systems that are essential to the operation of crucial facilities.

ISO 22301

ASE Kaohsiung and SPIL have successively obtained ISO 22301 business continuity management system (BCMS) certification to strengthen crisis management and disaster response.

ISO 15408

ASE Kaohsiung, Chungli and Singapore have been certified to Common Criteria (ISO/IEC 15408) EAL6, one of the highest evaluation assurance levels, creating a manufacturing environment and management system that comply with international security standards for products and strengthening the security of product transportation. We provide security assurance for manufacturing processes such as packaging and testing to offer better customer service.

ISO 21434

ASE Kaohsiung is the first semiconductor assembly and testing facility in the world to receive ISO/SAE 21434 automotive cybersecurity certification, with 100% compliance certified by TUV NORD of Germany.

IEC 62443-2-1

ASE Kaohsiung successfully completed TUV NORD’s evaluation and obtained IEC 62443-2-1 certification (security program requirements for industrial automation and control system asset owners), becoming the first company in the Taiwan semiconductor industry to receive it.

GSMA

ASE Kaohsiung has passed the GSMA Security Accreditation Scheme for UICC Production (SAS-UP), a mobile communication security standard, completing a comprehensive audit of its production sites and processes against the UICC production security requirements.

Results of Information Security Measures

ASEH approaches internal initiatives from a corporate governance perspective, establishing information security policies, conducting regular cybersecurity drills, and providing cybersecurity education and awareness training to enhance overall security awareness. It regularly invites representatives from industry, government and academia to share international cybersecurity developments, improving crisis responsiveness. Externally, ASEH actively participates in cybersecurity organizations such as FIRST, TWCERT/CC, the Taiwan Cyber Security Alliance and the High-Tech Cyber Security Alliance. Through these channels it shares the latest trends and action plans with industry peers and supply chain partners, raising the level of cybersecurity protection. At the same time, by aligning its certification efforts with international standards, ASEH strives to mitigate cybersecurity threats, ensure secure operations and foster long-term, solid partnerships with customers and supply chain partners, providing more comprehensive and refined services.


Information Security Investment and Results in 2024

Cybersecurity Policies, Organizations, and Goals

  • Established the Corporate Sustainability and Information Security Committee

  • Zero material cybersecurity incidents

  • Formulated three cybersecurity goals for 2030

  • Convened four ASEH cybersecurity team meetings

Information Security Implementation and Safeguards

  • Implementation of one ASEH Information Security Management System

  • NIST CSF maturity assessment for 25 sites

  • Conducted red team assessment at 5 sites

  • Provided monthly BitSight security rating reports

  • OT cybersecurity assessment at 7 sites

  • Conducted internal audits based on NIST CSF and ISO 27001 frameworks

  • Two cybersecurity incident drills

  • Providing cybersecurity educational training to 147,289 individuals

  • Accumulating 89,371 hours of cybersecurity educational training

  • Ongoing cybersecurity insurance coverage

  • Conducting cybersecurity assessments for 76 suppliers

Cybersecurity Certification

  • ISO 27001 certified (ISMS): ASE Kaohsiung (TUV NORD), ASE Chungli (TUV NORD), ASE Shanghai Material (TUV NORD), ASE Korea (LRQA), SPIL (BSI), and USI Nantou (AMERICO)

  • ISO 22301 certified (BCMS): ASE Kaohsiung (BSI), SPIL (BSI) and USI Nantou (DQS)

  • IEC 62443-2-1 certified: ASE Kaohsiung (TUV NORD)

  • ISO/IEC 15408 (Common Criteria) EAL6 certified, one of the highest evaluation assurance levels: ASE Kaohsiung (BSI), ASE Chungli (ANSSI), and ASE Singapore (BSI)
